Friday, September 26, 2008

Cisco IOS privilege levels

Cisco IOS supports 16 privilege levels, numbered 0 to 15. By default user EXEC mode runs at privilege level 1 and privileged EXEC mode at level 15 (level 0 holds only the disable, enable, exit, help and logout commands). On initial access with a default configuration you are in user EXEC mode at privilege level 1, which allows only basic commands such as ‘show ip route’ or ‘show ip interface’.

To reach the complete command set, users enter privileged EXEC mode by typing ‘enable’, which by default moves them to privilege level 15. Out of the box, then, IOS offers an ‘all or nothing’ choice between level 1 and level 15.

Within IOS it is possible to configure the intermediate levels (2 to 14) so that they grant access to a pre-defined set of commands only, giving a more graded approach to access.

The default privilege level of each command can be viewed with the show parser dump command (for example show parser dump exec, piped through | include to filter for the command of interest). In that output show ip interface brief is listed at privilege level 1, whereas debug ip packet detail is listed at level 15.

As an example I make the debug ip packet detail command available at level 7. There are two steps: set the enable password for level 7 (preferably with enable secret, which stores a hash rather than the reversible type 7 string that enable password produces), and then reassign the privilege level of the required command with privilege exec level. Note that reassigning a command also moves its shorter prefixes (here debug, debug ip and debug ip packet) to the same level, so the user gains slightly more than the single command named.
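The two steps carried through as an added example (this is not configuration from the original post; the hostname R1, the username ops and both secret strings are made up for illustration, and the session at the end shows how to verify the result):

```cisco
! Added example, not from the original post. Hostname "R1", user "ops" and the
! secret strings are placeholders.
R1# configure terminal

! Step 1: the password that admits a user to level 7. "enable secret" stores a
! salted hash; "enable password level 7 ..." would also work but is stored as a
! reversible type 7 string, so prefer "secret".
R1(config)# enable secret level 7 Example-L7-Secret

! Step 2: lower "debug ip packet detail" from level 15 to level 7. IOS also sets
! the prefixes "debug", "debug ip" and "debug ip packet" to level 7, so a
! level-7 user can run plain "debug ip packet" as well as the "detail" form.
! Never lower "configure terminal", "privilege" or "enable secret" this way:
! that hands the user the means to raise their own level.
R1(config)# privilege exec level 7 debug ip packet detail

! Optional: a local account that lands at level 7 directly at login. Requires
! "login local" on the vty lines; otherwise a level-1 user types "enable 7".
R1(config)# username ops privilege 7 secret Example-Ops-Secret
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# end

! Verification from a level-1 session. "enable 7" prompts for the level-7
! secret, "show privilege" confirms the level, the debug is accepted, and a
! level-15 command such as "configure terminal" is rejected by the parser.
R1> enable 7
Password:
R1# show privilege
Current privilege level is 7
R1# debug ip packet detail
IP packet debugging is on (detailed)
R1# configure terminal
             ^
% Invalid input detected at '^' marker.
```

show parser dump exec | include debug ip packet can be re-run after step 2 to confirm the new level; show running-config stays at level 15, so the level-7 user cannot read the configuration to check it themselves. On a busy router debug ip packet detail can saturate the CPU, so a level-7 operator should still restrict it with an access list argument.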